Information Assurance Through Defense in Depth

Our armed forces increasingly rely on critical digital electronic information capabilities to store, process, and move essential data in planning, directing, coordinating and executing operations. However, many of these systems have security weaknesses that can be exploited by powerful and sophisticated threats, which could result in unauthorized access, destruction, disclosure, modification of data, or denial of service. Such system vulnerabilities can jeopardize our most sensitive information capabilities. With deep, layered defenses we can reduce vulnerabilities and deter, defeat, and recover from sustained, skillful, and penetrating assaults.

Network Operations (NETOPS) provides the framework and procedures to manage the emerging Global Information Grid (GIG) of networked information capabilities. By integrating information assurance through Defense in Depth with Network Management and Information Dissemination Management (IDM), NETOPS is a key enabler for CINCs to achieve information superiority and accomplish their missions.

A good physical analogy of the fully developed medieval castle offers two valuable principles for designing Defense in Depth of information systems: 1) formidable layered defenses; 2) means to fight back actively. These castles were positioned to control the most significant terrain, serving to secure critical logistics bases and command and control centers for armed forces. Castles were built on strong foundations and often on high ground. They employed successive barriers, including water obstacles (moats), ditches, successive rings of strong and high walls, and towers. This defense structure allowed a relatively small force of well-supplied personnel, sentries, and men-at-arms to fight back and prevail against a much larger adversary. Just as a castle protected critical military resources in the Middle Ages, we must defend and protect our vital military information today.

The Defense in Depth approach employs and integrates the abilities of people, operations, and technology to establish multilayer, multidimensional protection—like the defenses of a castle. The approach employs successive layers, using a variety of methods at multiple, key locations, to prevent the potential breakdown of barriers and penetration to the innermost areas of the system. In a simple successive-barriers strategy, the barriers might all use the same method, presenting an adversary who breaks down one barrier with another, and another, and another. But a simple strategy of redundancy will probably have little effect against different attack methods. To counter the variety of attack methods that may be used today, we must employ a comprehensive variety of security mechanisms that provide redundant protection. To block attempts to gain access and do harm at different locations in the protected environment, we must also deploy defenses at multiple locations. No critical sector or avenue of approach into the sensitive domain of the information system should be uncontested or unprotected.

[Figure: Network Operations (NETOPS) Model]

People 

To establish this protection, Defense in Depth integrates the abilities of people, operations, and technology.

People using technologies to conduct operations are the strategy's central element. People design, build, install, operate, authorize, assess, evaluate, and maintain protection mechanisms. To gain and maintain the knowledge and expertise needed to perform these vital tasks, a comprehensive program of education, training, practical experience, and awareness is needed. We must recruit, retain, and wisely assign the best talent available. We also need a highly reliable personnel security system of appropriate background investigations, security clearances, credentials, and badges to ensure that only trustworthy persons have access. Finally, professionalization and certification are important tools in developing a validated and recognized cadre of experts and providing additional motivation for staff.

Operations 

IA operations, the second element in the strategy, involves policy, procedures, and execution. IA policy drives operations by establishing goals, courses of action, and standards. It formally states the security requirements for information systems, what must be protected, how resources are used, and what must be done and not done. Policy also establishes standards that define uniform and common features and capabilities of security mechanisms, the rule or basis by which to measure the various dimensions of information assurance, and the desired or required level of attainment. Standard operating procedures (SOP) are then needed to ensure adequate implementation of the prescribed policies. The SOP should define system configuration, deployment, routine operations, and incident response and reporting. Defined procedures for addressing incidents are particularly critical. After an intrusion is detected, incident information must be reported through established channels to appropriate authorities and specialized analysis and response centers. Incident response should then begin with immediate local emergency damage-limitation and survivability actions. These steps should all be stated in the SOP and implemented promptly. Regional and national experts might need to become involved when more sophisticated methods are necessary to confirm attacks, determine effects, and track down perpetrators. Execution of these tasks may be quite difficult when distributed, coordinated, low-visibility network-based attacks occur across many systems over an extended period of time. Careful, effective, and timely decisions must be made concerning appropriate additional responses, such as: declaring a higher level security situation or information operations condition (INFOCON), isolating affected systems, or pursuing legal, diplomatic, economic, or military actions. Operations also includes improving situational awareness, conducting IO-related exercises, and performing vulnerability assessments to improve our security posture.

Technology 

The technology element of Defense in Depth focuses on four major areas:

• Networks that link enclaves 

• Enclave boundaries 

• Local computing environments, or enclaves, and

• Supporting infrastructures. 


Technology to Defend Networks

Redundant and multiple data paths offer more than one available alternate physical medium or route for data transport. These measures serve to ensure continued transmission when intermediate enclaves or network components are degraded or inoperable. Enclaves should be able to disconnect from external networks in a crisis, filter traffic to prevent the use of risky message segments, and control throughput. Provisions against denial of service should be included in agreements for commercial services—to avoid a single point of failure. In addition, automated tools for system monitoring and management should be employed on the network to collect and analyze observable phenomena and maintain knowledge of the status of systems. These tools should be able to detect disruption and degradation that can indicate security problems.

Technology to Defend the Enclave Boundary

Defense of the enclave boundary is geared toward ensuring that all outside systems that seek access meet the security criteria of the enclave. Boundary defenses protect inside data and services from outside dangers. They also protect systems within the enclave that do not have their own self-defense capabilities. Some of the technologies to defend the enclave boundary are:

• Identification and authentication tools,

• Personal Identification Numbers (PINs),

• Passwords,

• Biometric mechanisms,

• Firewalls,

• Malicious code and virus detectors,

• Intrusion detection and response tools, and

• Guards.

Technology to Defend the Local Computing Environment

In defending the local computing environment, the IA challenge is to provide selected mechanisms (such as protected distribution systems) for protection. In addition, effective tools must be used to deepen the defense by protecting the end-systems and capabilities and their internal components and associated peripheral devices. Technologies used for this purpose include:

• Passwords, PINs, tokens, and biometrics,

• Encryption,

• Digital signatures,

• System monitoring and management tools,

• Intrusion detection tools,

• Malicious code and virus detectors,

• Backup technologies, and

• Software with its own access control features.

Supporting Infrastructures

All military organizations and operations, including IA, require a logistics structure to provide essential resources and support for maintenance, repair, and other vital services. Many of these services are provided across garrison and deployed environments. IA Defense in Depth also requires specialized support from unique cryptographic capabilities and organized incident reporting and response.

The cryptography function must be resourced and managed to meet or exceed all requirements without disclosure or theft. We must continue to design and field equipment and associated software that are reliable, fast and secure. There must be a strong system to produce, distribute, and manage public and private keys as well as digital certificates. Efforts are under way to improve the system by merging the current primary infrastructures for classified keys (Electronic Key Management System) and unclassified public keys (DoD Public Key Infrastructure).

We are only as strong as our weakest link!

Detection, reporting, and response infrastructures are essential in discerning whether an intrusion is a local, isolated event or part of a more widespread, sustained, dangerous attack. The outputs from local use of tools and intrusion detection and response actions must be delivered to organized capabilities in the chain of command, especially at the Military Department and Service, regional, and national/global levels. Intrusion detection information must be forwarded to specialized structures with the ability to perform more sophisticated analysis and correlation of indications from a range of sources and agencies. DoD is now constructing and improving a global infrastructure to manage incident reporting and enable a coordinated, coherent response. Efficient operation of this infrastructure requires standardized reporting formats and procedures, automated support to transfer and analyze relevant data, and effective interface with other response capabilities.

The information assurance Defense in Depth approach will give us the ability to meet the tremendous IA challenges we face today and will face in the future. The complexity and power of electronic digital computing and telecommunications systems will increase, and our forces will continue to take full advantage of these capabilities in all types of operations. At the same time, however, adversaries will be able to acquire and use these technologies against our critical and mission-essential systems. Therefore, we must maximize the contributions of certified experts, employ disciplined operations guided by policies and using sound successful procedures, and field proven, reliable technological solutions. In these efforts, the human factor is and will continue to be essential. It takes people to make and use technologies and to conduct IA operations. IA Defense in Depth depends on each of us. We must master new technologies, watch for new and changing threats and vulnerabilities, and continue vigorous efforts to build a formidable IA Defense in Depth.
CDR Mark L. Nold, USN

In 1995 I left the comfort and sanctuary of the Navy's EA-6B community at Whidbey Island, Washington, to assume the post of Fleet Electronic Warfare Officer of the U.S. Second Fleet in Norfolk, Virginia. On the way, I attended a newly created course at the Armed Forces Staff College (AFSC) in Norfolk called Command and Control Warfare (C2W). Little did I know when I attended this course that within a month of my arrival at Second Fleet I would be up to my neck in what is now known as information operations (IO). My assignment as fleet Electronic Warfare officer was twofold. First, draft the first-ever C2W appendix to a large force exercise operations order (OPORD). Second, develop a fully integrated Joint Task Force (JTF) C2W strategy supporting the commander's intent and objectives. The first task was a snap. My training at AFSC provided me with the fundamentals I needed to breeze through the OPORD writing process. The C2W appendix was completed in record time. The remaining task, however, was daunting to say the least. I was overwhelmed. AFSC taught me the goals of a C2W strategy but never showed me how to actually build one. Since I was the only trained C2W guy on the Second Fleet's staff, the task of executing C2W doctrine fell squarely on my shoulders. Enter Matrix Mission Planning (MMP).

It soon became readily apparent that the one thing an information operations planner needs most is information—and lots of it. I studied the objectives of both the Commander-in-Chief (CINC) and the JTF Commander to derive a clear understanding of the operations timeline and the implied and specified tasks of the subordinate commanders. Armed with this knowledge, I still could not tie all the information together. After a number of frustrating attempts, I began to lay out JTF objectives and tasks in a matrix to visualize the sequence of events that would take place in the operation (Figure 1). Lightning struck! I realized that I could use this format to balance C2W capabilities with JTF objectives and tasks (Figure 2 on page 8). I could now easily lay out a general C2W strategy that truly complemented JTF objectives and fully integrated C2W in support of the campaign. Our meager staff of three worked diligently to develop the general C2W strategy that we would present to the JTF commander (see Figure 3 on page 8).

The boss was impressed and we embarked on the development of specific matrices (Figure 3) for each of the C2W capabilities in our arsenal (OPSEC, military deception, PSYOP, destruction, and electronic warfare). The matrices provided us with detailed plans for each capability, which were synchronized along the same timeline with the general C2W strategy, allowing us to identify showstoppers, specify required assets, and ensure that our strategy was sound and executable (Figure 4). In addition, we created specific matrices for other capabilities that would be integral to the strategy (Special Operations Forces support, surveillance, and C2 Protect) (see Figure 2).

Figure 1. Matrix of JTF Objectives and Tasks

Figure 2. Balancing C2W Capabilities with JTF Objectives

Once the C2W (IO) Cell was established aboard the flag ship (U.S.S. Mt. Whitney), the general and specific matrices were submitted for refinement and finalization of the strategy. The finished product allowed the cell to generate the C2W target set needed for facilitating the strategy and to begin lobbying component representatives to rank our targets high on the Joint Integrated Prioritized Target List (JIPTL).

We had done it! 

But we still had to see our plan through to execution. There were a thousand moving parts, each one critical to the plan. To manage this behemoth, we pulled every event from the matrices and created a single execution checklist (Figure 5), which described each event in detail in terms of date, time, executing unit, target, linked or other dependent events, and objectives. The Current Operations branch of the cell (not a doctrinal entity) tracked the progress of this checklist. Current Operations then provided feedback to the cell, where the strategy was reassessed and modifications were developed based on its success or failure in particular events.


The exercise was a success from an IO point of view, and matrix planning was the key. The process has evolved since that first effort,* but the approach pioneered in the initial attempt has been repeated successfully several times since its creation.



Figure 3. C2W Capability-Specific Matrices 
Matrix mission planning can work for you. It provides a sound mechanism that ensures that IO is fully integrated as it was intended—as a synergistic, supporting strategy that optimizes capability in relation to need. As the IO arena expands, the need for an organized approach to IO strategy planning becomes more and more critical. MMP is a vehicle that can ensure future capabilities are integrated seamlessly and effectively in information operations.

Matrix Mission Planning methods are now taught as part of the Armed Forces Staff College Joint Command and Control and Information Warfare School (JCIWS) curriculum.



Figure 4. Executable Checklist 


Commander Nold received his B.S. in biology from Fort Hays State University in 1978 and was commissioned a Second Lieutenant in the U.S. Marine Corps. In 1989 he transferred to the U.S. Navy. CDR Nold obtained his M.B.A. in Business Administration (Quality Management) from City University in 1994 and assumed command of the Electronic Attack Weapons School in April of 1999. He may be reached at noldml@yahoo.com.



Figure 5. Detailed Planning 
MAJ Glen Teasley, USA
MAJ David Papas, USA

As the Army expanded its efforts against hackers, the Army Computer Emergency Response Team (ACERT) expanded its protection of the Army's electronic highways using the latest in technology and the best in expertise. The ACERT is the Army's operational element for computer network defense. It conducts command and control protection operations in support of the U.S. Army to ensure the availability, integrity, and confidentiality of the information and information systems used by commanders worldwide. The ACERT is a division of the Land Information Warfare Activity (LIWA) located within the U.S. Army Intelligence and Security Command at Fort Belvoir, Virginia.

The ACERT consists of three branches: the regional CERT (RCERT) branch, the coordination center branch, and the computer defense assistance branch (Figure 1).

The RCERT branch manages the functional and operational support requirements of the four field RCERTs—RCERT Pacific at Fort Shafter, Hawaii; RCERT Europe in Mannheim, Germany; the RCERT Continental United States (CONUS) at Fort Huachuca, Arizona; and RCERT Korea in Taegu, Korea. The RCERTs are co-located with Army Signal Command's (ASC) Theater Network and Systems Operation Centers (TNSOC). By leveraging both the ASC's network operational function and the ACERT's network security function, each area of responsibility receives enhanced network support and constant vigilance for network security. The close working relationship between the ACERT, RCERTs, and the TNSOCs ensures the Army's ability to communicate worldwide is successful and accomplished in a secure manner.

Figure 1. ACERT Organizational Structure

The coordination center branch receives computer incident and intrusion reports, conducts analysis of vulnerabilities, provides technical assistance to network and system administrators and managers, analyzes new viruses and anti-virus software, and monitors network intrusion devices that support the Criminal Investigation Command (better known as CID) investigations.

The computer defense assistance branch provides a tool for Army commanders and their staffs to use in assessing their network security. The program is designed as a "white hat" external assessment; the results are shared only with the unit assessed. Commanders use the information to improve their network security and lessen the vulnerabilities that may allow unauthorized access.

Program objectives focus on ensuring the overall security configuration of the networks and identifying potential points of unauthorized access into networks. Objectives also focus on validating vulnerabilities and assessing the depth and degree of a potential compromise, and recommending methods, techniques, and configuration modifications needed to secure the scanned networks.

In December 1998 the Army deputy chief of staff designated the ACERT as the Army force for the Joint Task Force - Computer Network Defense (JTF-CND). In this capacity, the director of the LIWA serves as the commander of Army forces and ensures the security of all Army networks. On a daily basis, the ACERT is fully engaged as a synchronized component of the JTF-CND team, protecting Department of Defense (DoD) networks worldwide.

The ACERT, in its mission to protect Army networks, coordinates daily with organizations both internal and external to the Army. Coordination within the Army includes the offices of the deputy chief of staff for operations, Office of the Director of Information Systems for Command, Control, Communications and Computers (ODISC4), Deputy Chief of Staff for Intelligence, ASC, and CID. The ACERT coordinates with the following organizations and agencies outside of the Army: Air Force CERT, Navy Computer Incident Response Team, DoD CERT, Marine Corps' Marine Intrusion Detection Analysis Section (MIDAS), Coast Guard CERT, Federal CERT, Carnegie Mellon University (CMU) CERT, and the Federal Bureau of Investigation's (FBI) National Infrastructure Protection Center. Coordination encompasses collaboration and technical efforts involving vulnerabilities and their recommended solutions.


To capture the massive amounts of data required to maintain situational awareness, the ACERT has developed a database that stores data on all reported or identified incidents and intrusions to Army automated information systems. In addition, the JTF-CND and the service components have developed the Joint CERT Database. This database will allow the ACERT, other service CERT/CIRTs, DoD CERT, and the JTF-CND to share information and conduct analyses on incidents. In this way, all DoD CND elements can share information and protect against identified possible threats.

A system administrator/operator who detects any automated information system security incident is required by regulation (AR 380-19) to immediately report it to the information systems security officer, who will notify the installation systems security manager. Concurrently, the system administrator/operator will notify the appropriate RCERT and request technical assistance. The RCERT verifies that an incident or intrusion has occurred and reports it to the ACERT. If an intrusion has occurred, the ACERT reports it to DCSOPS Information Warfare Office (DAMO-ODI), ODISC4, DoD CERT, and Joint Task Force-Computer Network Defense. The ACERT also notifies both the Army CID's Computer Crime Resident Agency and the Army Central Control Office, U.S. Army Intelligence and Security Command.

The ACERT monitors the Army's Information Assurance Vulnerability Alert (IAVA) process. The IAVA process is a DoD-mandated process for disseminating information and required actions on serious vulnerabilities to or attacks on DoD automated information systems. The ACERT publishes IAVA messages to disseminate information and required actions on new and critical vulnerabilities to automated information systems. IAVA messages are disseminated by a general service message (GENSER) to all Army major commands and by the ACERT list server to all subscribers. IAVA messages are directed by the DoD CERT, Army ODISC4, or the ACERT.

The IAVA process for the Army requires that information assurance officers at major commands report receipt of an IAVA message within 5 days and report compliance with the required actions or submit a waiver within 30 days. This timeline can be accelerated based on the criticalness of the vulnerabilities addressed (see figure 2 on page 11). The status of major commands' IAVA compliance is monitored in the Army by both the ODISC4 and deputy chief of staff for operations, and in DoD by JTF-CND and the deputy secretary of defense.

Two initiatives guide ACERT into the future: a fully integrated incident database and predictive analysis.

The predictive analysis process identifies potential attacks against Army networks. Predicting network attacks provides the commander a

continued on page 17 
JTF-CND and AFCERT

Allies in the Information War

Capt Karl Grant, USAF
2nd Lt Becca Legd, USAF

With the constant threat of computer attack looming in today's expanding realm of information operations (IO), it is vital that we employ the most advanced tactics in computer network defense (CND). The expansion of global communication lines and the development of new technologies bring with them an increased vulnerability to exploitation. The Joint Task Force-Computer Network Defense (JTF-CND) allows us to better integrate resources and to erect a powerful defense barrier against our adversaries. The Air Force Information Warfare Center (AFIWC/CC) has been designated as Commander Air Forces (COMAFFOR) for the JTF-CND. Among its responsibilities is coordination of joint defense against computer attacks on DoD information systems.

The AFIWC, co-located with the Air Intelligence Agency, is the Air Force information warfare (IW) center of excellence. It explores, applies, and disseminates offensive and defensive information warfare capabilities for operations, acquisition, and testing. The center provides IW services to the warfighter in contingencies and exercises through quantitative analysis, modeling and simulation, database, and technical expertise in communication and computer security. The AFIWC's team of more than 1,000 military and civilian personnel is skilled in operations, engineering, operations research, intelligence, radar technology, communications, and computer applications.

Within the AFIWC, the Air Force Computer Emergency Response Team (AFCERT) under the COMAFFOR is the execution element for the JTF-CND. Established in 1992, the AFCERT is the oldest organization of its kind in the Department of Defense and is the focal point for information protection of Air Force networked command, control, communications, and computer systems. The AFCERT's primary mission is to provide intrusion detection, vulnerability assessments, and incident response operations 24 hours a day, 7 days a week (24x7).


Since its inception, the AFCERT has grown and refined its intrusion detection techniques to counter the constantly changing threat to Air Force networks. The team's 94 military, civil service, and contractor personnel monitor networks at more than 120 locations worldwide. The monitoring of these sites is an enormous undertaking. For example, an estimated 6 billion connections were screened in 1998. Of those connections, 68 were identified by the AFCERT as attempts to disrupt or exploit Air Force operations.

To aid in screening connections, the AFCERT relies on a tool called Automated Security Incident Measurement (ASIM). ASIM looks for suspicious or malicious traffic crossing Air Force networks, providing both a real-time warning and detailed information about the activity. The warning and information enable commanders to know where any suspicious activity originates, whether critical information has been compromised or changed, and whether the system in question can be trusted.

On the preventive side, the AFCERT conducts vulnerability assessments on Air Force networks with a software tool set called On-line Survey (OLS). OLS looks for security holes in a network and can detect vulnerabilities that a hacker may use to gain access to an Air Force system. In addition, because OLS operations appear to users and system administrators as unauthorized activity, OLS is used to exercise the bases' or units' activity, detection, and reporting ability.

Incident response is one of AFCERT's most important services. When a suspicious or malicious activity on a system meets a predetermined threshold, the AFCERT designates it as an incident, initiating a flurry of activity in a very short time. First, the chain of command is notified by the using organization (with the help of the Incident Response Team and the Air Force Office of Special Investigations [AFOSI]). Depending on the criticality of the affected computer system, a decision is made on whether to isolate the system and pull it off the network. If the computer system is not deemed mission-critical, it may be left on-line so more information can be collected about the hacker. If any type of illegal activity is found, the AFOSI gets involved. AFOSI has the option of initiating its own on-site monitoring and pursuing prosecution. The AFCERT provides technical assistance to AFOSI investigations as needed. If it is determined that the base does not have the resources to secure the system or return it to normal operations, the base commander may request AFCERT augmentation. AFCERT and its sister divisions' joint incident response teams stand ready to recover such systems and can deploy to any location with less than 2 hours' notice.

To perform intrusion detection, vulnerability assessment, and incident response operations effectively, the AFCERT relies on several organizations. The AFIWC's Countermeasure and Computer Security Engineering Teams provide research and red-teaming support to Air Force organizations and can augment AFCERT operations during OLS assessments, incident responses, and peak periods. AFIWC's Threat Analysis branch provides intelligence inputs, and the 690th Intelligence Operations Squadron's Cyberwatch provides indications and warning data. The Air Force's Network Operations Center is the Air Force's execution element for blocking connections recommended by the AFCERT at the Air Force enterprise-wide routers. Network Operations and Security Centers (NOSCs) and Network Control Centers (NCCs) provide Major Command-level and base-level support, thereby channeling vital information to the AFCERT and ensuring that downward-directed tasks are completed. The continued success of the AFCERT is due in part to the outstanding assistance and support that these organizations provide.

As the Air Force component lead to the JTF-CND, the AFCERT reports intrusion detection and incident response information and coordinates Air Force support to meet JTF-CND directives. In addition, the AFCERT assists with policy and procedural development and implementation. The AFCERT and AFIWC have been involved in several JTF-CND initiatives to standardize reporting processes across the Unified Command Commander-in-Chief (CINC)-Service-Agency (C/S/A) spectrum. Among the many projects to which the AFCERT, its sister divisions, and the AFIWC have contributed are the Joint Threat and the Joint CERT databases. These are two systems that will improve the JTF-CND's ability to correlate incoming information and coordinate an appropriate response to suspicious activity that crosses C/S/A boundaries. The AFCERT, its sister divisions, and the AFIWC have represented Air Force interests at numerous JTF-CND conferences and exercises and will continue to provide the support needed for the successful defense of Air Force and DoD network systems.

The interface between the AFCERT and operational units is the Information Warfare Flight (IWF) at the Numbered Air Forces. It is critical that the CINCs have the tools and the knowledge they need to make informed decisions for their units about CND. One of the roles of the IWF is to provide this support by integrating IW activities into the normal campaign planning and execution process. By giving AFFOR a single IW focal point, the IWFs provide the structure to plan and execute IW for the warfighter. In doing so, they provide the reach-back capability to enable units to conduct 24 x 7 operations real-time. As Col Richard Stotts, AFIWC/CC, said in his address to the Armed Forces Communications and Electronics Association Symposium, "To operationalize [Defensive Counter Information], we must look at all the resources necessary to promote our information resource as a weapon system if we are to achieve the greatest use and protection of our information." With the AFCERT's support and resources to the IWFs, we can ensure that our units are well informed and prepared to handle any attack on their networks.

Information superiority is critical in today's defense of DoD computer systems and networks. Coordination of effort in the JTF-CND and integration of DoD resources in all facets of IO enable us to fight aggressively and win the information war.


Captain Grant received his B.S. in Computer Science from Embry-Riddle University, Prescott, Arizona. He supports AFCERT Operations at the Air Force Information Warfare Center. He may be reached at 210.977.3158.

2nd Lieutenant Lege received her 
B.S. in physics from Loyola University, 
New Orleans, Louisiana. She may be 
reached at ralege@afiwc.aia.af.mil. 

Marine Forces Computer Network Defense

Major E. H. Ted Steinhauser, USMC (Retired)

Any Marine will tell you that the Fleet Marine Force (FMF) is the place to be if you want to be a real Marine. Operational commitments, deployments, leadership in the face of adversity—all the activities you've read about—happen out in the FMF. Unfortunately, a set of orders to report to a job inside the beltway (the highway surrounding the Washington, D.C. metropolitan area) is usually the first step toward a lifelong commitment as a desk jockey and sworn enemy of the nation's forests. You trade all the fun of being an FMF Marine for 2 hours a day in a Route 95 van pool that now dictates the exact number of hours you spend at work. The Marines with whom you sweated, struggled, and persevered in the streets of Pohang are now replaced by government service employees and contractors who really don't understand what's so enjoyable about pulling CAT 5 through the sands of SWA at 02:00 while in MOPP 4. But just within the past year, the establishment of the Joint Task Force-Computer Network Defense (JTF-CND) along the sheltered suburban streets of Washington, D.C., helped bring back some of the operational feel of wearing a set of utilities at the crossroads of the Corps.

The JTF-CND was the result of Presidential Decision Directive 63 and events such as Eligible Receiver and Solar Sunrise, Protection of the Nation's Critical Information Infrastructure. Under its charter, the JTF-CND is responsible for establishing a fully operational JTF capable of coordinating the defense of the Defense Information Infrastructure (DII). Each service was tasked with providing a component to the JTF in mutual support of the DII subordinate elements. The Marine Forces Computer Network Defense (MARFOR-CND) is the Marine Corps component of a standing JTF. No set working hours, no predictable schedule: MARFOR-CND even has a real enemy, which is not only perceived to be "out there" but also routinely probes the Listening Posts (LPs) and Observation Posts (OPs) to see if they're awake. A renewed sense of purpose has been instilled in the Marines working to support the connectivity for the Marine Corps Enterprise Network (MCEN).

The easiest part of bringing the MARFOR-CND on line was recognizing that it had an outstanding high ground from which to defend. Those of us in the information security business all know that to achieve anything resembling a secure network, we must view the system from the perspective of pessimistic vulnerability hunters who are unwilling to accept that today's working solution will stand up against tomorrow's emerging threat. The Marine Corps did it right, as they've always done. Nearly from its conception, the MCEN was engineered with security in mind. The big picture was thoroughly examined to ensure an understanding of why the system was brought into existence, and the system was built with the aim of providing global support to the deployed commander. By dismissing the complexity caused by geographical separation, the Marines employed the fundamental aspects of true enterprise network symmetry and, simply put, did what needed to be done. From the first scribbles of a few network engineers on restaurant napkins, to lengthy conversations over a couple of beers, the plan to construct a global network that was sustained, maintained, administered, protected, and defended from a central location was put into place.

In conjunction with the truly expeditionary nature of the Marine Corps, the MARFOR-CND Marines want to expand their capability beyond the MCEN garrison network. In a continued effort to protect the Marine Corps' deployed information architectures, the Marines will be fielding deployed security interdiction devices (DSID) to the FMF communication battalions. The DSID is designed to provide a defense-in-depth, boundary-level architecture, composed of "best of breed" commercial off-the-shelf (COTS) security technologies. This design will enable the next generation of Marines to carry with them to the field technology that allows a tactical computer network defense in depth.

The instrumental catalyst that makes the Marine Corps component unique among the JTF components is operations security (OPSEC). This article did not include many details about the way in which the Marine Forces Component achieved this success, because we know that any information about the tools of information system security success is merely a new essential element of information (EEI) for our enemy to use against us. The Marines understand tactics well. Although the successes produced by the MARFOR-CND are unlikely to result in a new verse of the Marines' Hymn, the Marines have assumed this newest mission with as much seriousness and intensity as they have applied to any past battle.

Mr. Steinhauser has been actively engaged as the MARFOR-CND Plans Officer in the conception and establishment of the Marine Corps' component of the Joint Task Force-Computer Network Defense. He may be reached at steinhauserth@noc.usmc.mil.

proactive means for selecting the best course of action for protecting networks. The ACERT analytical section's predictive analysis capability is integrated into a multi-faceted LIWA analytical architecture. This structure also includes vulnerability assessment analysis via the information operations vulnerability assessment division and Computer Defense Assistance Program, reverse engineering and technical analysis of hacker tools via the LIWA Laboratory, and threat analysis via the intelligence branch.

As a key Army element responsible for ensuring information assurance, the ACERT, in its capacity as the ARFOR-CND, maintains a vigilant watch for the numerous risks and threats to Army automated information systems and

Major David Papas
ACERT Coordination Center for the Land Information Warfare Activity at Fort Belvoir, VA. He holds B.S. degrees in computer science software programming and systems engineering from the University of Southern Mississippi and is a graduate of the Army's Computer Science School.

Navy Computer Network Defense

The Navy Component Task Force-Computer Network Defense (NCTF-CND) is a component of, and directly supports, the CND mission of the Joint Task Force-Computer Network Defense (JTF-CND). NCTF-CND missions include:

• Determining when Navy systems are under computer network attack (CNA), assessing an attacker's impact on military operations and capabilities, and notifying the JTF-CND and the user community of the threat
• Coordinating and directing appropriate Navy actions to stop CNA, contain damage, restore functionality, and provide feedback to the user community
• Developing contingency plans, tactics, techniques, and procedures to defend Navy computer networks and supporting the CND planning of Fleet Commanders-in-Chief (CINCs)
• Assessing effectiveness of defensive actions and maintaining current assessment of operational impact on the Navy
• Coordinating as required with the Naval Computer and Telecommunications Command (NCTC), the Fleet Information Warfare Center (FIWC), the Naval Security Group, the Office of Naval Intelligence, the Naval Criminal Investigative Service (NCIS), and other agencies and private sector partners to defend Navy networks
• Monitoring status of Navy computer networks
• Monitoring Computer Incident Response Team (CIRT) alerts, warnings and advisories, and serving as a critical node in the indications and warnings (I&W) reporting cycle
• Participating in Navy exercises to conduct computer network defense training
• Assessing threats to Navy computer systems, based on all-source fused intelligence, from potential CNAs against Navy computers and networks
• Providing information to, and receiving direction from, the CJTF-CND and providing liaison to Navy organizations, as required
• Coordinating and directing appropriate actions to ensure that Navy pages resident on the World Wide Web are in compliance with prescribed DoD and Navy doctrine or policy
• Serving as the Navy's reporting agent for Information Assurance Vulnerability Alerts (IAVAs).

The NCTF-CND is comprised of 14 officers, enlisted persons and civilians. It is co-located with the NCTC to provide a comprehensive view of Navy networks. This network operations view, in combination with the network security picture provided by FIWC, allows NCTF-CND to rapidly identify threats to computer networks.

In its first trial, NCTF-CND, working closely with the FIWC's Navy Computer Incident Response Team (NAVCIRT), was able to disseminate critical, timely information about the Melissa virus, which contributed to the rapid containment of the virus on Navy networks. In comparison, many civilian networks were taken off-line for days or weeks to recover from the damage this virus did.

NCTF's partnership with the NAVCIRT division of FIWC extends beyond this one incident. As Navy's information operations center of excellence, FIWC conducts forensic analysis of computer intrusion incidents and provides technical assistance to commands to restore networks. NAVCIRT also conducts on-line surveys of networks to identify vulnerabilities to command leadership, users, and system administrators.

NCTF-CND has also been vested with several significant network security-related missions, including Information Operations Condition (INFOCON), Navy Web-page Risk Assessment (NWRAC), and IAVA and compliance reporting.

As the manager of the INFOCON program, NCTF-CND, through the Chief of Naval Operations (CNO) N6, issues guidance Navy-wide on implementation of the program and makes Service-level INFOCON posture recommendations to CNO. NCTF-CND coordinated a Navy-wide INFOCON exercise, which was conducted from late November to early December 1999 to ensure that INFOCON-level implementation and the associated operational impacts are well understood by all Navy commands. NCTF-CND also has responsibility for assessing the operations security posture of publicly accessible Navy Web sites. In collaboration with FIWC and Commander, Naval Security Group, the Commander, Naval Reserve Security Group is developing a Web-based database and reporting mechanism that significantly improves Naval Reserve Security Group operators' ability to check web pages for compliance with established DoD and Navy instructions and their ability to expeditiously notify commands of their findings.

IAVAs alert DoD network users to vulnerabilities in operating system and application software and direct corrective measures. NCTF-CND has assumed the IAVA mission and, with system development support from NCTC, is implementing a Web-based compliance tracking system that significantly improves the timeliness and quality of IAVA compliance.

At the vortex of Navy network operations, the NCTF-CND has coordinated with all Navy second-echelon commands on the performance of several data collection efforts in support of the Navy-Marine Corps intranet and the Assistant Secretary of Defense for Command, Control, Communications and Intelligence [ASD (C3I)]-directed Unclassified but Sensitive Internet Protocol Router Network (NIPRNET)/Internet gateway survey.

Early on, NCTF-CND recognized the need to create a tool to capture critical network and organizational information, marrying network Domain Name Service (DNS) server information and Internet Protocol addresses with organizational and chain-of-command information. The result is better and more timely dissemination of network defense information and direction Navy-wide and improved reporting timeliness of compliance with JTF and NCTF tasking and direction.

The preceding examples highlight the NCTF-CND's diverse missions. The first line of network defense is still the skill and operational awareness of network system administrators and users. A well-trained, well-informed cadre of system administrators and users, coupled with a system of rapidly disseminated advisories and direction, are key ingredients in the success of the computer network defense mission. As DoD and Navy move forward together into the next millennium, NCTF-CND will play an increasing role in the development and implementation of strategies that ensure that Navy networks are available when needed in peace, crisis and war, and the return to peace.

Monitoring and Protecting the

MAJ Rod Laszlo, USA
CW5 Bruce Gardner, USA

The protection and defense of operational networks is the mission of the Global Network Operations and Security Center (GNOSC), which is part of the Defense Information Systems Agency (DISA) operations directorate. The GNOSC consists of five branches. The Field Security Operations branch, at Letterkenny Army Depot, provides security services to the Defense Megacenters and to the Commanders in Chief (CINCs). The Plans branch provides long-range strategic planning for the Defense Information Infrastructure (DII). The Support branch provides support for daily internal operations of the GNOSC. The Operations branch, located at DISA headquarters in Arlington, Virginia, is responsible for the day-to-day management of the DII. The remaining branch, the Department of Defense Computer Emergency Response Team (DoD-CERT), is the joint-level CERT for DoD.

Within the GNOSC, direct day-to-day monitoring and protection of the DII is the job of the Operations branch. This branch, which is staffed 24 hours a day, 7 days a week, is responsible for managing, by exception, network faults or outages in all components of the DII, including the Unclassified-but-Sensitive Internet Protocol Router Network (NIPRNET), the Secret IP Router Network (SIPRNET), the Integrated Digital Network Exchange (IDNX), the Defense Red Switched Network (DRSN), commercial and military satellites, video teleconferencing, and applications such as the Global Command and Control System and the Defense Message System. These networks are managed through five subordinate Regional Network Operations and Security Centers (RNOSCs), which provide network management and control and CERT support by region, including the European, Pacific, Central Command, and United States areas of responsibility. In the event of a crisis, the GNOSC can manage, coordinate, and direct the actions of the RNOSC.


IAnewsletter / Fall 1999


The GNOSC also is the DoD component responsible for the Joint Task Force-Computer Network Defense (JTF-CND). In this role, it synthesizes and reports CND-related information from all DoD organizations—CINCs, Services, and Agencies—and provides direct access to technical and engineering expertise throughout DISA. The JTF-CND is co-located with DISA, and the JTF-CND Watch Officer sits in the same command center where the GNOSC performs network management. This relationship allows the JTF-CND to obtain real-time information about the networks that it defends, and permits the GNOSC, in coordination with the JTF-CND, to suggest appropriate responses to an attack against the networks.

The networks that the GNOSC manages and protects can be likened to a weapons system. They must be monitored, managed, and manipulated so that they can be protected. One key to such network protection is the correct identification of the causes of network incidents. Network faults, outages, and congestion can appear to result from computer network attacks, but might also be due to a cable cut caused by a backhoe. Immediate analysis and deconfliction of events is essential for development of proper courses of action, including recovery and reconstitution. The co-location of the JTF-CND and the GNOSC facilitates such network defense.

The GNOSC Operations branch also includes a Computer Network Defense Assessment Team, a Worldwide Network Manager, and a Worldwide Satellite Manager. Each of these functions provides information to the Systems Control Officer (SCO), who ties all events together and is the customer's contact at the GNOSC. The SCO plays a crucial role in determining whether an event is a network or a security problem. To ensure quality of service for the customer, the GNOSC Operations branch addresses network performance issues and security. On the performance side, the Network and Satellite Managers monitor the global network picture and work closely with the RNOSCs to ensure that customers have a responsive and supportive network for a multitude of applications traversing the networks. On the security side, the Computer Network Defense Assessment Team, working closely with the customer, the JTF-CND, and the DoD-CERT, helps to assess and prioritize the customer's problem and refer it to the proper branch of the DoD-CERT.

The DoD-CERT, the fifth branch of the GNOSC, provides network defense services through sensor monitoring, correlation of intrusion incident data, anti-virus product support to DoD, and remediation of the effects of intrusive activity. It is the joint-level DoD-CERT for strategic technical coordination among all of the other Service and Agency CERTs and Computer Incident Response Teams (CIRTs) in DoD, and is the focal point for all computer incident and event reporting. Thus, it is the first place where a worldwide assessment of the status of CND throughout the DoD can be made. The DoD-CERT can correlate data from all Services and from the RNOSCs with data gathered directly by network sensor devices and then assemble a global picture of the defensive state of the network.

In closing, the synergy that results from the co-location of the JTF-CND and the GNOSC cannot be overestimated. It is critical to the ability to see the networks that are being defended, and the ability to gauge the impact of an attack on a network by seeing its components. The synergy of the JTF-CND and the GNOSC is also critical to seeing how best to stop or contain an attack. But just as important are the relationships forged by working side by side, every day, allowing the JTF-CND and the GNOSC to react as one in protecting the DII.

Major Laszlo is Deputy Operations Manager at the GNOSC. He received his B.S. in Geography from Portland State University in 1988. He is currently working toward completing his M.S. in Information Resource Management from Central Michigan University. He may be reached at laszlor@ncr.disa.mil.

Chief Warrant Officer Gardner is an information assurance officer at the GNOSC. He received his B.S. from Brown University and his M.B.A. from the University of Utah. He is currently completing a M.S. in computer science from James Madison University. He may be reached at garderh@ncr.disa.mil.

Military and civilian professionals in DISA's Global Network Operations and Security Center monitor the health and welfare of the Defense Information Infrastructure.

Computer Security Tips

Capt Elizabeth A. Siemers, USAF
DoD-CERT

With less than one month before the Year 2000 (Y2K) rollover, many DoD and non-DoD organizations have asked the DoD-CERT how to protect their computer systems from security threats during the Y2K rollover period. In response, the DoD-CERT has put together some tips and recommendations for administrators of DoD computer systems.

The DoD-CERT and many computer security experts warn system administrators that they can expect the following types of problems during the Y2K rollover:

• Intruders may use the Y2K rollover period as a window of opportunity for intruding on DoD computer systems
• Y2K problems may mimic a denial of service (DOS) attack
• There may be an increase in "network noise" (probes and scans)
• There may be an increase in malicious code infection (e.g., viruses, Trojan horses, and worms)
• Intruders may exploit system administrators' fears that a Y2K fix did not work or that Y2K testing was inadequate.




Preparation

The following 10 recommendations address new variants of malicious activity occurring on the Internet today (e.g., denial of service and E-mail tunneling attacks), as well as attacks intending disruption during Y2K (e.g., logic bombs). These recommendations are geared toward countering the actions of malicious insiders and outsiders who may initiate incidents during the Y2K rollover.

Recommendations 

1. Security Patches: Implement all of the latest security fixes or patches, especially for mission-critical systems and servers that are likely targets. For information on current Information Assurance Vulnerability Alerts (IAVAs), see http://www.cert.mil.

2. Anti-virus Signatures: Update all virus and intrusion detection signatures. For current DoD anti-virus products and signatures, see http://www.cert.mil/virus/avirus.htm. For current intrusion detection signatures, contact each product's vendor.

3. Anti-virus Software on Mail Servers: This is a good time to implement anti-virus scanning at E-mail gateways, where it is not already in use.

4. Secure System Configuration: Verify the security of system configurations, paying particular attention to countering the vulnerabilities and exploit scripts described in advisories leading up to the Y2K rollover period. Ensure that all systems are backed up before the Y2K rollover. For additional computer security advisories, see http://www.cert.org and http://ciac.llnl.gov.

5. Verify Trust Relationships: Verify and confirm all remote access accounts, and delete all remote access accounts that cannot be positively verified.

6. Identify Mission Critical Systems: Identify systems that will be needed by legitimate users during the holiday period and ensure that protection of these systems is properly prioritized.

7. Verify and Enforce Security Policy: Warn all users and administrators not to install any patches during the Y2K rollover period without confirmation from an authorized source that the patches are authentic. This effort is designed to counter an expected increase in hoaxes that warn of the urgent need to install Y2K or other patches or to update virus signatures.

8. Standardize Network and System Time: Synchronize time on all systems and networks from a trusted source, such as tick.usnogps.navy.mil or tock.usnogps.navy.mil, to ensure that incident reporting is not complicated by timing inconsistencies.

9. Minimize Network Traffic: Limit non-mission-critical network traffic (e.g., Web surfing) during the rollover period so that problem areas on the networks can be more quickly identified.

10. Establish a Normal Baseline: Just before the Y2K rollover period, observe system performance metrics and establish baselines for ordinary activity. Use the baselines to gauge unusual levels of disk activity, central processing unit (CPU) use or network traffic, thereby allowing earlier detection of viruses and denial of service attacks.


The DoD-CERT and all regional and Service CERTs and CIRTs will maintain 24-hour-a-day operations during the Y2K rollover period to support the field CERTs and will maintain heightened awareness concerning all computer security-related events that may occur during that time.

For up-to-date security information, users can visit the DoD-CERT Web site at either http://www.cert.mil or http://www.cert.disa.smil.mil. Users can also contact the DoD-CERT via the following methods:

DSN: 327.4700
Commercial: 703.607.4700, 800.357.4231
Unclassified E-mail: cert@cert.mil
Classified E-mail: cert@cert.disa.smil.mil
DSN Fax: 327.4009
Comm. Fax: 703.607.4009

Captain Elizabeth A. Siemers, USAF, is the Chief of Plans and Standards for the DoD Computer Emergency Response Team, Defense Information Systems Agency, Arlington, VA. She received her B.A. in history with a certificate in business administration from Indiana University in May 1995. Capt Siemers is now pursuing her M.S. in engineering management, with concentration in systems engineering, from George Washington University in Washington, D.C. She may be reached at eas@cert.mil.

A Third Generation Log Analysis Tool

The typical computer network includes a variety of components, often including: routers, firewalls, intrusion detection systems (IDS), network sniffers, clients, and servers. Each of these components is capable of producing network activity logs of various types. These logs are often in a proprietary format, adhering to no single standard. Depending on the level of auditing and the activities monitored, logs can range from a few hundred kilobytes to several gigabytes in size. Furthermore, log formats may differ among different versions of the same product.

Modern security professionals and computer crimes investigators have only a few log analysis tools at their disposal, none ideally suited to the task. The crudest method correlates activity entries across many different log printouts. With this method, even a highly trained individual can perform only limited analyses when the log files are very large. First-generation search tools (grep, perl scripts, etc.) are a better approach for performing searches on large data sets but require considerable skill to use. The tools must be configured for each log format and search effort. This approach offers more efficiency, but skill and human error are still large factors.

Several vendors of network security products have created second-generation log analysis tools. These tools are capable of more sophisticated searches and limited correlation analysis but typically work only with the vendor's proprietary log devices. Such tools are unsuitable for heterogeneous networks because of their inability to analyze different log formats generated by other vendors' products.

A new third-generation tool, produced by Sytex, addresses some shortcomings of the earlier generation of products. This product, called SHERLOCK, can operate in heterogeneous network environments and import multiple types of log formats into standard databases.

Sherlock has a platform-independent, Web-based interface and provides point-and-click generation of Structured Query Language (SQL) queries. It can be used by multiple investigators to query multiple network logs simultaneously.

Sherlock has features that facilitate both immediate and retrospective analysis of network activity. For instance, it captures log data directly from network devices, permitting immediate analysis of, and response to, potential intrusions. (Administrators can thus detect a port scan and then block the offending source Internet Protocol.) In addition, data are stored in read-only form to preserve intruders' footprints in system logs.
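The workflow described above (import differently formatted logs into one database, query across them with SQL, keep the stored records read-only), as an added example that is not Sherlock's code or part of the original article. The two log formats, the device names, the table layout and the sample lines are constructed for illustration, and SQLite stands in for the "standard database".

```python
import re
import sqlite3
from datetime import datetime, timezone

# Constructed sample logs in two invented formats (not real vendor formats).
FW_LOG = """\
2000-01-12T03:14:07 DENY tcp 192.0.2.44:40112 10.1.1.5:21
2000-01-12T03:14:07 DENY tcp 192.0.2.44:40113 10.1.1.5:23
2000-01-12T03:14:08 DENY tcp 192.0.2.44:40114 10.1.1.5:25
2000-01-12T03:15:30 ALLOW tcp 198.51.100.7:51000 10.1.1.9:80"""
RTR_LOG = """\
time=947646849 dev=rtr1 action=drop src=192.0.2.44 dst=10.1.1.5 dport=80
time=947646850 dev=rtr1 action=drop src=192.0.2.44 dst=10.1.1.5 dport=111
time=947646900 dev=rtr1 action=pass src=198.51.100.7 dst=10.1.1.9 dport=80"""

FW_RE = re.compile(r"(\S+) (ALLOW|DENY) \w+ ([\d.]+):\d+ ([\d.]+):(\d+)")

def parse_fw(line):
    # Positional firewall format -> common (ts, device, src, dst, dport, action).
    ts, action, src, dst, dport = FW_RE.fullmatch(line).groups()
    return (ts, "fw1", src, dst, int(dport), action.lower())

def parse_rtr(line):
    # key=value router format with epoch time and its own action vocabulary.
    kv = dict(field.split("=", 1) for field in line.split())
    ts = datetime.fromtimestamp(int(kv["time"]), timezone.utc)
    action = {"drop": "deny", "pass": "allow"}[kv["action"]]
    return (ts.strftime("%Y-%m-%dT%H:%M:%S"), kv["dev"], kv["src"],
            kv["dst"], int(kv["dport"]), action)

def load(conn):
    conn.execute("CREATE TABLE events (ts TEXT, device TEXT, src TEXT,"
                 " dst TEXT, dport INTEGER, action TEXT)")
    rows = [parse_fw(l) for l in FW_LOG.splitlines()]
    rows += [parse_rtr(l) for l in RTR_LOG.splitlines()]
    conn.executemany("INSERT INTO events VALUES (?,?,?,?,?,?)", rows)
    conn.commit()
    conn.execute("PRAGMA query_only = ON")  # stored records are now read-only

def scan_suspects(conn, min_ports=4):
    # Sources denied on many distinct ports, counted across all devices.
    return conn.execute(
        "SELECT src, COUNT(DISTINCT dport), COUNT(DISTINCT device) FROM events"
        " WHERE action = 'deny' GROUP BY src"
        " HAVING COUNT(DISTINCT dport) >= ?", (min_ports,)).fetchall()

if __name__ == "__main__":
    db = sqlite3.connect(":memory:")
    load(db)
    print(scan_suspects(db))
```

Neither log alone shows four denied ports for 192.0.2.44; the source only crosses the threshold once both devices' records sit in one table.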

Sherlock was designed as an advanced network security analytical tool, but it can be scaled to handle various types and sizes of log analysis efforts. Information on Sherlock may be obtained from the Sytex Information Warfare Center at www.iwce.net or by phone at 410.312.9114.

Keith J. Jones holds the position of "Software Development Team Leader" at Sytex, Inc. He currently works out of the Columbia, MD office with the rest of the technical operations team. Previously, he has completed two B.S. degrees in computer engineering and electrical engineering, and an additional M.S. degree in electrical engineering. Keith can be reached at the following e-mail address:
kjones@sso. sytexxnc. com. 
Robert P. Thompson
Director, IATAC 


Leveraging the Technical 
Area Task (TAT) Program 


One of the objectives of the Department of Defense (DoD) Information Analysis Center (IAC) Program is to maintain technical centers of excellence that can be called upon to facilitate use of existing scientific and technical information (STI) to meet DoD research, acquisition, operational, and logistics requirements. As a DoD institution, IATAC provides the foundation through which data gathering, studies, analyses, and other scientific and technical activities can be accomplished.

IAC operations are comprised of core functions and technical area task (TAT) activities. Core functions include basic services such as the collection of scientific and technical information (STI), inquiry support, database operations, current awareness activities (e.g., IAnewsletter), and generation of technical reports. TATs fall within the scope of the IAC mission but are not funded as a part of the IAC's basic services. Typically technical and analytical in nature, TATs are more labor intensive and complex and may involve extensive gathering or creation of STI, analysis, and preparation and dissemination of the information.

IATAC services available via the TAT program support a broad spectrum of information assurance technical disciplines. These capabilities include policy and doctrine development, research and analyses, studies and reports, training and exercises, and conference and event planning. Technical disciplines (see figure below) include various aspects of information assurance and information operations, including certification and accreditation, computer forensics, biometrics, infrastructure protection, malicious code, penetration testing, psychological operations, public key infrastructure, and secure enterprise management, to name a few. IATAC is providing TAT support to the plans and policy, research and development, acquisition, and operational communities.

The products generated via the TAT are developed in response to requirements delineated by the requesting activity. In addition, products are entered into the IATAC collection, thus contributing to the growth of the information assurance (IA) knowledge base. Other DoD organizations can access the STI developed through the TAT and leverage prior research and analyses to support their IA requirements. Releasability of TAT products is coordinated with the originating organization to ensure compliance with secondary distribution instructions. For more information on available products generated through the TAT program, contact IATAC at 703.289.5454 or iatac@dtic.mil.


CAPABILITIES 

Policy & Doctrine 
Studies & Reports 
Meetings & Conferences 
Research & Analysis 
Training & Exercises 


Certification & Accreditation 
Computer Forensics • Data Embedding 
Information Assurance/Operations 
Malicious Code Detection 
Ops Security • Penetration Testing 
Public Key Infrastructure 
Security Test & Evaluation 
Vulnerability Assessment 
Data Mining CFS/TA

This report provides an overview of data mining techniques, applications, and COTS data mining software products. Data mining is used to discover previously unknown and meaningful relationships by sifting through large amounts of stored data. Data mining has applications in marketing, information assurance, risk management, and fraud management. To help users select a product that best meets their objectives, data mining tool evaluation criteria are provided. A table summarizing the features of available products is also provided.


Intrusion Detection 
Tools Report 

This newly updated report provides an index of intrusion detection tool descriptions contained in the IA Tools Database. Research for this report identified 46 intrusion detection tools currently employed and available.


Data Embedding 
for IA SOAR 

Provides an assessment of the state-of-the-art in data embedding technology and its application to IA. It is particularly relevant to: information "providers" concerned about intellectual property protection and access control; information "consumers" who are concerned about the security and validation of critical information; and law enforcement, military, and corporate organizations concerned about efforts to communicate covertly. The report has been specifically designed for readers who are not experts in data embedding. For more in-depth information, the bibliography provides an extensive list of authoritative sources from which the reader can obtain additional technical detail.

Computer Forensics- 
Tools and Methodology 
This report provides a comparative analysis of currently available software tools used in computer forensic examinations. It provides a useful introduction to this specific area of science, and offers practical high-level guidance on how to respond to computer system intrusions. This report provides a useful analysis of specific products, including their respective capabilities, unique features, cost, and associated vendors.

Firewall Tools Report 
This report provides users with a brief description of available firewall tools and contact information. Currently the IA tools database contains 46 firewall tools that are available in the commercial marketplace.

Malicious Code 
Detection SOAR 

This report includes a taxonomy for malicious software providing a better understanding of commercial malicious software. An overview of the state-of-the-art commercial products and initiatives, as well as future trends, is presented. The report presents observations and assertions to support the DoD as it grapples with this problem entering the 21st century. This report is classified and has a limited release.

Modeling & Simulation Technical Report

This report, released December 1997, describes the models, simulations and tools being used or developed by organizations within DoD.

Biometrics: Fingerprint Identification Systems

Focuses on fingerprint biometric systems used in the verification mode. Such systems, often used to control physical access to secure areas, also allow system administrators access control to computer resources and applications. Information provided in this document is of value to anyone desiring to learn about biometric systems. The contents are primarily intended to assist individuals responsible for effectively integrating fingerprint identification products into their network environments to support the existing security policies of their respective organizations.

Vulnerability Analysis 
Tools Report 

This report summarizes pertinent information, providing users with a brief description of available tools and contact information. Currently the IA Tools database contains descriptions of 35 tools that can be used to support vulnerability and risk assessment.
State-of-the-Art Reports

□ Data Embedding for Information Assurance 

□ Malicious Code Detection [ □ TOP SECRET □ SECRET] 


Security POC 

Security Phone 


UNLIMITED DISTRIBUTION 

Newsletters (Limited number of back issues available) 



□ Vol. 1, No. 1 

□ Vol. 1, No. 2 

□ Vol. 1, No. 3 


□ Vol. 2, No. 1

□ Vol. 2, No. 2 (soft copy only) 

□ Vol. 2, No. 3 

□ Vol. 2, No. 4 

□ Vol. 3, No. 1 

□ Vol. 3, No. 2 




Please list the Government Program(s)/Project(s) that the product(s) will be used to support:. 


Once completed, fax to IATAC at 703.289.5467 
calendar


February 

3 


IA Technical Framework 
Forum Meeting 

Linthicum, MD 
Call Mr. John Niemczuk 
410.684.6246 
http://www.iatf.net 



DISA 4th Annual IA Workshop 

Holiday Inn Hampton Hotel 
Hampton, VA 
Call Maureen Premo 
703.681.5789 or 
Tracy Grubar 703.681.7933 



AFCEA West 2000 

San Diego Convention Center 
San Diego, CA 


22-25 


SPACECOM 2000 

Space Communications—Key to 

Information Operations 

Colorado Springs, CO 

Call Michael J. Varner 

719.590.1051 

COME SEE OUR BOOTH! 


March 

14-15 


Federal Information Systems 
Security Education Assoc. Conf. 
Gaithersburg, MD 
http://csrc.nist.gov/organizations 
/fissea.html 


March 

16 


27-31 


April 

3-5 

25-27 


June 

5-9 



Information Assurance Technology Analysis Center 
3190 Fairview Park Drive 
Falls Church, VA 22042 


Information Assurance 

Technical Framework Forum 

Linthicum, MD 

Call Mr. John Niemczuk 

410.684.6246 

http://www.iatf.net. 

DoDIIS IA Training Forum 
Bolling AFB, Washington DC 
Call Mr. Paul Woeppel 
210.977.3396 or 
Mr. John Venit 202.231.5818 

InfoSec World Conf & Expo 
Orlando, FL 
Call 508.879.7999 
www.misti.com 

Fiesta Informacion 2000 

San Antonio, TX 

Call J. Spargo & Associates 

703.631.6200 

COME SEE OUR BOOTH! 

2000 Annual USPACOM 
IA Conference 
Ilikai Hotel, Honolulu, HI
Call Maj Veronica Baker 
808.477.1046 
vlbakerO@hq.pacom.mil 




